Author: David Schwed, former managing director of Galaxy Digital, CoinDesk; Compiled by: Songxue, Golden Finance
While I wait with the rest of the world for the first Bitcoin ETF to be approved, there is one thing that has always bothered me: with a few exceptions, including Fidelity and VanEck, almost every applicant for a spot Bitcoin ETF intends to use Coinbase as its custodian.
As a cybersecurity leader focused on blockchain, this concentration of risk, combined with the inherently high-risk nature of cryptocurrency custody, gives me pause.
It’s not Coinbase itself that worries me. The company has never been the victim of a known hack, which explains why so many traditional institutions trust its expertise. However, there is no such thing as an unhackable target – given enough time and resources, anyone can be compromised, a lesson I’ve learned throughout my career at the intersection of cybersecurity and asset management.
What worries me is the extreme concentration of assets in a single custodian. That situation is worrying in itself, given the cash-like nature of crypto assets.
Perhaps it’s time to reconsider the “qualified custodian” designation, a regulatory sign-off that, in its current form, does not necessarily ensure that blockchain-based risk assets are actually (let alone optimally) protected. Additionally, digital asset custodians should ideally be subject to more oversight by well-trained regulators, under stricter state and federal standards, than they are today.
Today, most qualified custodians protect stocks, bonds, or digitally tracked fiat balances, all of which are fundamentally legal agreements and cannot simply be "stolen." But Bitcoin (BTC), like cash and gold, is a bearer instrument. A successful cryptocurrency hack is like a Wild West bank robbery in that once in the hands of the thief, the money is gone.
So, for a cryptocurrency custodian, all it takes is one mistake and the asset can be completely wiped out.
We also know that global cryptocurrency criminals are powerful and determined. To take just one notorious example, North Korea's Lazarus Group hacking team is believed to have stolen $3 billion worth of cryptocurrency over the past six years, with no signs of stopping. Inflows into Bitcoin ETFs are expected to exceed $6 billion in the first trading week, making the funds a prime target.
If Coinbase ends up with tens of billions of dollars' worth of Bitcoin in its digital vault, North Korea could easily organize a $50 million operation to steal the funds, even if it takes years. Threat actors like the Russian Cozy Bear/APT29 group may also find it increasingly attractive to go after institutional cryptocurrency holdings as these pools of funds grow larger (as they are likely to).
This is the level of threat that major banks are prepared to deal with. A widely used risk management model among financial institutions employs three tiers of supervision. First, business management designs and implements security practices; second, the risk layer monitors and evaluates these practices; and third, the audit layer ensures that risk mitigation practices are indeed effective.
The bottom line is that traditional financial institutions will have outside auditors and outside IT oversight, as well as oversight from numerous state and federal regulators. Many, many eyes look at all aspects of risk and safety.
But these multiple layers of redundancy and nested fault protection require one seemingly simple thing: headcount.
When I was global head of digital asset technology at BNY Mellon, about 1,000, or 2%, of the investment bank’s approximately 50,000 employees were in security roles. Even after its recent expansion, Coinbase still has fewer than 5,000 employees. BitGo is also a qualified custodian certified in New York State and other jurisdictions, but it has only a few hundred employees.
This is not to question the intentions or skills of any of these organizations or their employees. But real oversight requires redundancy, and these new agencies may struggle to provide enough redundancy to secure tens of billions of dollars in bearer notes.
Before these numbers get even bigger (and more attractive to bad actors), it’s long past time to improve the cybersecurity standards attached to the qualified custodian designation. Currently, the designation comes with a trust or banking license, which is overseen by state and federal regulators. These financial regulators are primarily focused on traditional banking; they are not cybersecurity experts, and certainly not cryptocurrency experts. Understandably, they focus on balance sheets, legal proceedings and other financial operations.
But those are not the only important areas of oversight for cryptocurrency custodians, or even necessarily the most important. There are currently no industry-wide standards for the cybersecurity and risk management practices of cryptocurrency custodians, which means that the status of “qualified custodian” is not as reassuring as it sounds. This exposes not only investors, but an entire nascent industry, to risks that are not transparent, with potentially dire consequences.
The approval of a series of Bitcoin ETFs is just the latest step in the digital asset’s continued integration into the financial system. You don’t have to believe crypto predictions; just ask legacy giant BlackRock, which backs ETFs. As these developments continue, regulators with a genuine interest in investor protection will focus on adapting to a new world in which rigorous cybersecurity standards are as important to financial stability as honest disclosure and financial audits.